
Abstract:

As a result of the inability to assign security in multiple applications
at one time, there is an opportunity to tie the disparate security
systems together. Security synchronization services is a method and
apparatus that uses roles to provide a common administration experience
for all applications that use it and fits better for new applications.

Claims:

1. A method of synchronizing security settings across a plurality of
computer applications comprising: obtaining authority to modify one or
more roles for a user in one or more applications; collecting roles in
each of the applications; selecting a user; selecting an application from
the plurality of applications; adjusting a role from the collected roles
for the user in the selected application; if a synchronization rule is
related to the adjusted role, executing the synchronization rule wherein
the synchronization rule adjusts a role for the user in one or more
additional applications.

2. The method of claim 1, wherein the adjustment is one selected from a
group comprising grant, change or remove.

3. The method of claim 1, further comprising obtaining a scope of the
roles from the application and if the application supports scope specific
roles, adjusting the scope specific roles for the user.

4. The method of claim 1, further comprising querying a directory for all
users and allowing the user to be selected from the found users.

5. The method of claim 1, further comprising adjusting the role for
multiple users at the same time.

6. The method of claim 1, further comprising adding the user to the roles
of another user.

7. The method of claim 1, further comprising creating a rule that if the
user is assigned a role in a first application, assigning a role in a
second application.

8. The method of claim 7, further comprising using web services to execute
the rules.

9. The method of claim 8, further comprising storing the rules as XML
files.

10. A user interface for a method of synchronizing security settings
across a plurality of computer applications comprising a display
for: displaying a user selection interface where a user is
entered; displaying a list of applications; displaying an application
selection interface where an application is selected from the displayed
list of applications; displaying a list of roles in the
application; displaying a role selection interface where a role is
selected from the displayed list of roles for the entered user thereby
adjusting the selected role for the user in the selected application; if a
synchronization rule is related to the adjusted role, displaying the
synchronization rule wherein the synchronization rule adjusts a role for
the entered user in one or more additional applications; and displaying a
rule synchronization interface where the synchronization rule is selected
to be executed.

11. The user interface of claim 10, wherein the displayed adjustments are
one selected from a group comprising grant, change or remove.

12. The user interface of claim 10, further comprising: if the application
supports scope specific roles, displaying a scope of the roles from the
selected application; displaying a scope of roles selection interface
where a scope is selected from the displayed scope thereby adjusting the
scope specific roles for the selected user.

13. The user interface of claim 10, further comprising displaying a
directory of all users; and displaying a user selection interface where
the user is entered from the found users.

14. The user interface of claim 10, further comprising displaying an
option to select multiple users and adjust the role for selected multiple
users at the same time.

15. The user interface of claim 10, further comprising displaying an
option to add the selected user to the roles of another user.

16. The user interface of claim 10, further comprising: displaying a role
in a first application; displaying a plurality of roles in a second
application; displaying a user interface where the role in the second
application is selected such that the role in the first application is
equivalent to the role in the second application thereby creating a rule
of role equivalence between the role in the first application and the
selected role in the second application.

17. A computer system comprising a processor physically configured in
accordance with computer executable instructions, a memory for assisting
the processor and an input/output circuit, the computer executable
instruction comprising instructions for synchronizing security settings
across a plurality of computer applications wherein the instructions
comprise instructions for: obtaining authority to modify one or more roles
for a user in one or more applications; collecting roles in each of the
applications; querying a directory for all users and storing the user
query results; selecting a user from the user query results; selecting an
application from the plurality of applications; adjusting a role from the
collected roles for the user in the selected application wherein the
adjustment is one selected from a group comprising grant, change or
remove; obtaining a scope of the roles from the application and if the
application supports scope specific roles, adjusting the scope specific
roles for the user; and if a synchronization rule is related to the
adjusted role, executing the synchronization rule wherein the
synchronization rule adjusts a role for the user in one or more
additional applications.

18. The computer system of claim 17, further comprising computer
executable instructions for creating a rule that if the user is assigned
a role in a first application, assigning a role in a second application.

19. The computer system of claim 17, further comprising computer
executable instructions for storing the rules as XML files.

20. The computer system of claim 17, further comprising computer
executable instructions for using web services to execute the rules.

Description:

BACKGROUND

[0001]This Background is intended to provide the basic context of this
patent application and it is not intended to describe a specific problem
to be solved.

[0002]Today, users are faced with the task of setting up security in
multiple applications, most of which have a different security
infrastructure and administration experience. This task can be daunting
and frustrating. As more applications are integrated, it will become
increasingly important that users are provided a way to "hook all the
applications up" so that the applications work as expected. It is
unrealistic to expect administrators to manually set up, modify or remove
security in every application for every user. It also is unrealistic to
expect all applications to "snap" to a common security infrastructure as
most popular applications that are integrated are already mature
applications with an established security infrastructure.

SUMMARY

[0003]This Summary is provided to introduce a selection of concepts in a
simplified form that are further described below in the Detailed
Description. This Summary is not intended to identify key features or
essential features of the claimed subject matter, nor is it intended to
be used to limit the scope of the claimed subject matter.

[0004]As a result of the inability to assign security in multiple
applications at one time, there is an opportunity to tie the disparate
security systems together. The disclosed method and apparatus provides a
common administration experience for all applications that use it and
fits better for new applications by using roles to assign security. The
utility will provide the following capabilities:

[0005]The ability to synchronize role membership between disparate
applications;

[0006]The ability to go to one place and add a user to multiple roles in
multiple applications at the same time, in one administration experience;

[0007]The ability to plug new providers in such that new applications can
easily plug and play if they can support the required interfaces; and

[0008]The ability to remove a user from multiple applications.

[0009]The disclosed method and apparatus provides the ability to
synchronize in any direction by specifying a source and destination,
along with some rules about what should happen along the way. The actual
work of adding/removing users from roles is the responsibility of the
providers that are plugged in to the method, providing extensibility for
any application or security infrastructure that can be programmatically
accessed via some application programming interface.

BRIEF DESCRIPTION OF THE DRAWINGS

[0010]FIG. 1 is an illustration of exemplary hardware that is used for a
computing device to implement security synchronization services;

[0011]FIG. 2 is an illustration of a method of synchronizing security
settings across a plurality of computer applications;

[0012]FIG. 3 illustrates a user interface for a method of synchronizing
security settings across a plurality of computer applications; and

[0014]Although the following text sets forth a detailed description of
numerous different embodiments, it should be understood that the legal
scope of the description is defined by the words of the claims set forth
at the end of this disclosure. The detailed description is to be
construed as exemplary only and does not describe every possible
embodiment since describing every possible embodiment would be
impractical, if not impossible. Numerous alternative embodiments could be
implemented, using either current technology or technology developed
after the filing date of this patent, which would still fall within the
scope of the claims.

[0015]It should also be understood that, unless a term is expressly
defined in this patent using the sentence "As used herein, the term
`______` is hereby defined to mean . . . " or a similar sentence, there
is no intent to limit the meaning of that term, either expressly or by
implication, beyond its plain or ordinary meaning, and such term should
not be interpreted to be limited in scope based on any statement made in
any section of this patent (other than the language of the claims). To
the extent that any term recited in the claims at the end of this patent
is referred to in this patent in a manner consistent with a single
meaning, that is done for sake of clarity only so as to not confuse the
reader, and it is not intended that such claim term be limited, by
implication or otherwise, to that single meaning. Finally, unless a claim
element is defined by reciting the word "means" and a function without
the recital of any structure, it is not intended that the scope of any
claim element be interpreted based on the application of 35 U.S.C. §
112, sixth paragraph.

[0016]Much of the inventive functionality and many of the inventive
principles are best implemented with or in software programs or
instructions and integrated circuits (ICs) such as application specific
ICs. It is expected that one of ordinary skill, notwithstanding possibly
significant effort and many design choices motivated by, for example,
available time, current technology, and economic considerations, when
guided by the concepts and principles disclosed herein will be readily
capable of generating such software instructions and programs and ICs
with minimal experimentation. Therefore, in the interest of brevity and
minimization of any risk of obscuring the principles and concepts in
accordance to the present invention, further discussion of such software
and ICs, if any, will be limited to the essentials with respect to the
principles and concepts of the preferred embodiments.

[0017]FIG. 1 is an illustration of exemplary hardware that may be used for
a computing device to implement the method described herein. The device
100 may have a processing unit 102, a memory 104, a user interface 106, a
storage device 108 and a power source 127. The memory 104 may include
volatile memory 110 (such as RAM), non-volatile memory 112 (such as ROM,
flash memory, etc.) or some combination of the two or any other form of
storage device. The device 100 may also include additional storage 108
(removable and/or non-removable) including, but not limited to, magnetic
or optical disks or tape or any other memory. Such additional storage is
illustrated in FIG. 1 by removable storage 118 and non-removable storage
120. Computer storage media includes volatile and nonvolatile, removable
and non-removable media implemented in any method or technology for
storage of information such as computer readable instructions, data
structures, program modules, digital media, or other data.

[0018]The processing unit 102 may be any processing unit 102 capable of
executing computer code. When in a portable device, it may also be useful
if the processor 102 is efficient in using power to increase the life of
the power source. The processing unit 102 may also be used to execute
code to support a user interface and external communications.

[0019]The display 114 may be a color LCD screen or any other appropriate
display 114. User input(s) 116 may include a keyboard, manual buttons,
soft buttons, or a combination of these. In addition, the user input may
be gesture driven which may use no buttons or may be voice activated.
Soft buttons may be used when the display 114 includes a touch screen
capability. Manual buttons may include re-definable keys with
programmable legends. In operation, a user may use the user interface to
select an application.

[0020]The device 100 may also contain communications connection(s) 122 that
allow the device 100 to communicate with external entities 124, such as
network endpoints or a computer used for synchronization. Communications
connection(s) 122 is an example of communication media. Communication
media typically embodies computer readable instructions, data structures,
program modules or other data in a modulated data signal such as a
carrier wave or other transport mechanism and includes any information
delivery media. The term "modulated data signal" means a signal that has
one or more of its characteristics set or changed in such a manner as to
encode information in the signal. By way of example, and not limitation,
communication media includes wired media such as a wired network or
direct-wired connection, and wireless media such as acoustic, RF,
infrared and other wireless media. The term computer readable media as
used herein includes both storage media and communication media.

[0021]The power source may be a battery that may be rechargeable. The
power source may also be a standard battery or an input from a power
converter or any other source of power.

[0022]At a high level, the described method may be exposed via a console
such as a Microsoft Management Console which communicates with a
synchronization web service using a web services protocol. The console may
provide the ability to synchronize in any direction by specifying a
source and destination, along with some rules about what should happen
along the way. The actual work of adding/removing users from roles would
be the responsibility of the providers that are plugged in, providing
extensibility for any application or security infrastructure that can be
programmatically accessed via some application programming interface.

[0023]FIG. 2 is an illustration of a method of synchronizing security
settings across a plurality of computer applications. As a result of the
inability to assign security in multiple applications at one time, there
is an opportunity to tie the disparate security systems together with the
described method. The method may allow an administrator to synchronize
role membership between disparate applications, go to one place and add a
user to multiple roles in multiple applications at the same time, in one
administration experience, plug new providers in such that new
applications can easily plug and play if they can support the required
interfaces, and remove a user from multiple applications.

[0024]At block 200, authority may be obtained to modify one or more roles
for a user in one or more applications. In most networks, an
administrator has the needed authority. A security role can be thought of
as a privilege granted to users or groups based on specific conditions.
In addition, in some cases, the roles in the applications may have to be
further defined. For example, role specific permissions may have to be
set for roles in each application.

[0025]At block 205, roles in each of the applications may be collected.
The roles may be collected by calling an API or other function designed
for this purpose. Some applications may be prepared to respond and some
may not. If an application does not have roles or does not have the
necessary knowledge to respond, that application will be unable to be
synchronized without additional effort on the part of the administrator.

[0026]At block 210, a directory may be queried for all users and the user
may be selected from the found users. In some cases, the user in question
may already be known and may be directly entered. The scope of the
inquiry may be limited to a specific group in question or may be network
wide.

[0027]At block 215, an application may be selected from the plurality of
applications. In some embodiments, the application may be known and entered
immediately. The applications may be obtained through a survey or through
a directory.

[0028]At block 220, a role from the collected roles for the user may be
selected in the selected application. The adjustment may be one of grant,
change or remove. In one embodiment, the role for multiple users may be
adjusted at the same time. In another embodiment, the user may be added
to the roles of another user. For example, if Employee A is an accounts
payable clerk and Employee B is a new accounts payable clerk, the roles
(and related security settings) may be copied from Employee A to Employee
B.

[0029]In some applications, roles are further broken down into scopes.
Accordingly, the method may obtain a scope of the roles from the
application. If the application supports scope specific roles, the scope
specific roles may be adjusted for the user.

[0030]At block 225, if a synchronization rule is related to the adjusted
role, the synchronization rule (or rules) may be executed. A
synchronization rule adjusts a role for the user in one or more
additional applications. More specifically, a rule may be created that if
the user is assigned a role in a first application, a known role may be
assigned in a second application.

[0031]FIG. 3 may illustrate a user interface 300 for a method of
synchronizing security settings across a plurality of computer
applications. Similar to FIG. 2, a directory of all users 305 may be
displayed. The users may be displayed in any manner such as in a drop
down box 310 and in the cases when the user is known, the user may be
directly entered. An option may be displayed to select multiple users 305
and adjust the role for selected multiple users at the same time.

[0032]A list of applications also may be displayed 315. An application
selection interface 320 may be displayed such as a drop down box where an
application may be selected from the displayed list of applications.

[0033]A list of roles 325 in the application 315 may be displayed. A role
selection interface 330 may be displayed where a role 325 is selected
from the displayed list of roles 325 for the selected user 305. The
interface may be a simple drop down box or may be an entirely new
display. By selecting a role, the selected role 325 for the user in the
selected application 315 may be adjusted. The adjustments may be to add a
role, remove a role, upgrade a role, downgrade a role or simply change a
role. An option may be displayed to add the selected user to the roles of
another user.

[0034]If the application supports scope specific roles, a scope 335 of the
roles 325 from the selected application may be displayed. A scope of
roles selection interface 340 may be displayed where a scope 335 selected
from the displayed scopes 335 may adjust the scope 335 specific roles 325
for the selected user 305. The interface may be a simple drop down box or
may be an entirely new display.

[0035]The interface 300 may display synchronization rules 345 that may be
related to the role 325 selected. A rule synchronization interface 350
may be displayed where the synchronization rule 345 is selected to be
executed. The interface may be a simple drop down box or may be an
entirely new display. There also may be an option to create a new rule
355.

[0036]FIG. 4 may illustrate a user interface 400 for creating a new rule.
A role may have a name 402 and the name may be entered or selected. On
one side of the interface 400, a source 405 for the information may be
selected and on the other side, a destination 410 for the information may
be selected. On the source side 405, an application 415 may be selected,
a company 420 may be selected and a role 425 may be selected. In
addition, a status 430 notice may be displayed. Under the destination
410, an application 435 may be selected, a company may be selected 440
and a role 445 may be selected. In addition, a status notice may be
displayed 450. The status notice 430 and 450 may notify the administrator
if there are issues in reaching the applications, if proper authority is
not present, if authorization failed, etc. In addition, an option may be
displayed to synchronize 455 individual domain group users. This option
may be used when a source application supports the use of domain groups
as members but the destination application does not.

[0037]To make the method and apparatus work, in one embodiment, a framework
such as .NET from Microsoft® may be used together with an application that
defines the concept of application providers. A main class may be used
that defines the interface between the generic subsystem and the specific
application role providers. The application role providers may have to
implement the main class for the application to be able to be part of a
security synchronization method. The class may have properties such as
id, name and unsupported entities. The class may have methods such as
GetRoles, GetScopes, DeleteRoleAssignment, CreateRoleAssignment,
GetSupportedOptions, RemoveApplicationRoleAssignment and
GetAuditingInformation. Registering with the method may involve deriving
an abstract framework class that requires an application provider to
implement the methods. These methods may allow the method to retrieve
role information from an application, persist role information to an
application and provide a host of additional functionality across the
applications without knowing any specific implementation details about
the application's authorization framework.

[0038]If an application supports roles, the application manufacturer may
"plug in" their security infrastructure by adding an entry that points to
their provider assembly to support the described methods. The security
synchronization method may then register the provider to be called when
the application is launched the next time. By adding a configuration
entry to the application's configuration file, an application
manufacturer may plug in to the method. The following is sample code that
might be in the configuration file:

[0039]Each provider is unique and may or may not support all of the same
types of functionality of other providers. The following class defines
the supported options of a provider and is part of the
ApplicationRoleProvider interface. This information allows the user
experience to be customized based upon the providers in use and also
provides the ability to perform unique validation for each provider.

[0046]Providers may be managed by an ApplicationRoleProviderManager class.
This class instantiates the registered providers and may perform all of
the actual synchronization services between the various application role
providers. The ApplicationRoleProviderManager is the primary interface to
the user experience portion of the application. It "bootstraps" the
system and acts as an ApplicationRoleProvider factory. It also performs
functions that cross multiple application role providers.

[0058]In some embodiments, the web services protocol is used to interface
with the various applications such that the security synchronization
method may be available from any machine on a network.

[0059]Applications may have a variety of roles and the roles may not match
up exactly. Accordingly, rules may be created where if an employee is
granted role A in application A, then the employee would be granted role
B in application B. These rules may be stored individually or together.
The rule files may be stored in any format such as XML.

[0060]The following schema outlines a definition of a synchronization
rule. These rules may be serialized into something known as rule sets
which may be a collection of synchronization rules. These rule sets may
be stored in an XML file that can be consumed by the service.

[0079]Error checking classes also may be part of the synchronization
process. This provides the ability to validate entire objects without
returning only the first error found.
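As an added illustration of the rule sets in paragraphs [0059]-[0060] and the whole-object validation of paragraph [0079] (example code, not the patent's own schema or classes, which this page does not reproduce), the Python below parses a rule set in an assumed XML layout with Source, Destination and Options elements and reports every problem in the set rather than stopping at the first one; the element and attribute names, the sample rule sets and the list of registered applications are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:  # one side of a rule: the application/company/role trio from FIG. 4
    application: str
    company: Optional[str]
    role: str


@dataclass(frozen=True)
class ParsedRule:
    name: str
    source: Endpoint
    destination: Endpoint
    delete_absent_users: bool = False      # "delete users if not present in the source"
    sync_domain_group_users: bool = False  # "synchronize individual domain group users"


def _endpoint(rule, tag, errors, name) -> Optional[Endpoint]:
    """Reads <Source> or <Destination>; records every missing piece instead of bailing out."""
    el = rule.find(tag)
    if el is None:
        errors.append(f"{name}: missing <{tag}>")
        return None
    app, role = el.get("application", "").strip(), el.get("role", "").strip()
    if not app:
        errors.append(f"{name}: <{tag}> has no application")
    if not role:
        errors.append(f"{name}: <{tag}> has no role")
    return Endpoint(app, el.get("company") or None, role)


def _flag(opts, attr, errors, name) -> bool:
    raw = (opts.get(attr, "false") if opts is not None else "false").lower()
    if raw not in ("true", "false"):
        errors.append(f"{name}: option {attr}={raw!r} is not true/false")
    return raw == "true"


def load_rule_set(xml_text: str, known_applications: set[str]):
    """Parses a rule set and returns (rules, errors); errors covers the whole file."""
    rules, errors = [], []
    for i, el in enumerate(ET.fromstring(xml_text).findall("Rule")):
        name = el.get("name") or f"Rule#{i}"
        if not el.get("name"):
            errors.append(f"{name}: missing name")
        src = _endpoint(el, "Source", errors, name)
        dst = _endpoint(el, "Destination", errors, name)
        for ep, side in ((src, "source"), (dst, "destination")):
            if ep and ep.application and ep.application not in known_applications:
                errors.append(f"{name}: {side} application {ep.application!r} has no provider")
        if src and dst and src == dst:
            errors.append(f"{name}: source and destination are identical")
        opts = el.find("Options")
        flags = [_flag(opts, attr, errors, name)
                 for attr in ("deleteAbsentUsers", "synchronizeDomainGroupUsers")]
        if src and dst:
            rules.append(ParsedRule(name, src, dst, *flags))
    return rules, errors


# Constructed sample rule sets in the assumed layout (the page's own schema is not shown).
GOOD_RULE_SET = """<RuleSet name="Accounting">
  <Rule name="AccountManager-to-SharePoint">
    <Source application="BPSDK" company="CompanyA" role="Account Manager"/>
    <Destination application="SharePoint" role="Accounting Manager"/>
    <Options deleteAbsentUsers="true"/>
  </Rule>
</RuleSet>"""

BAD_RULE_SET = """<RuleSet name="Broken">
  <Rule name="Loop"><Source application="BPSDK" role="A"/><Destination application="BPSDK" role="A"/></Rule>
  <Rule><Source application="CRM" role=""/><Options deleteAbsentUsers="yes"/></Rule>
</RuleSet>"""
```

Loading BAD_RULE_SET returns six separate errors (identical endpoints, missing name, empty role, missing destination, unregistered application, malformed option), which is the behaviour paragraph [0079] asks for.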

[0080]As a result of the method and apparatus, the burden on
administrators is reduced. All rights are centralized which makes
reporting and seeing rights easier. New users may be added and leaving
users may be removed in a manner that only requires opening a single
application. Similarly, users that have increases or decreases in rights
may have the rights modified from a single application.

[0081]Let's assume Chris, the IT Administrator, assigned all Accounting
Managers rights to the `Account Manager` role in the Business Portal
Administration Console by using the Mass Import of Users functionality.
Now let's assume Chris would like to grant all users he imported in the
`Account Manager` role rights to the necessary roles in Share Point so
that they can use Business Portal.

[0082]Chris opens the Dynamics Synchronization Service Console and selects
the Synchronize Roles action. Chris is presented with an option to select
a source application and chooses `BPSDK`. Now, a list of roles appears
that are present within the BPSDK application. He selects the `Account
Manager` role and states which company to utilize. He then selects a
destination application of `Share Point` and is presented with a list of
roles in that application. He selects the `Accounting Manager` role and
selects the synchronize button. All users present in the source
application role are synchronized to the destination role. Also, options
are available to delete users if not present in the source application,
create new roles in the destination application, etc.
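To make the provider contract of paragraph [0037], the manager of paragraph [0046] and the synchronization step of block 225 concrete, here is an added Python sketch (not the patent's .NET code) that replays Chris's BPSDK-to-Share Point synchronization from paragraphs [0081]-[0082]; the in-memory provider, the user names, the company scope "CompanyA" and the GetRoleMembers method are assumptions made for the example.

```python
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SupportedOptions:  # capability flags a provider reports via GetSupportedOptions
    scopes: bool = False  # True when the app has scope (e.g. company) specific roles


class ApplicationRoleProvider(ABC):
    """Assumed provider contract; method names follow the list in paragraph [0037]."""

    @abstractmethod
    def GetRoles(self) -> list[str]: ...
    @abstractmethod
    def GetSupportedOptions(self) -> SupportedOptions: ...
    @abstractmethod
    def GetRoleMembers(self, role: str, scope: Optional[str]) -> set[str]: ...  # assumed
    @abstractmethod
    def CreateRoleAssignment(self, user: str, role: str, scope: Optional[str]) -> None: ...
    @abstractmethod
    def DeleteRoleAssignment(self, user: str, role: str, scope: Optional[str]) -> None: ...


class InMemoryProvider(ApplicationRoleProvider):  # constructed stand-in for a real app store
    def __init__(self, id, name, roles, scopes=(None,), options=SupportedOptions()):
        self.id, self.name, self._options = id, name, options
        # (role, scope) -> members; scope is None for applications without scopes
        self._members = {(r, s): set() for r in roles for s in scopes}

    def GetRoles(self): return sorted({r for r, _ in self._members})
    def GetSupportedOptions(self): return self._options
    def GetRoleMembers(self, role, scope): return set(self._members[(role, scope)])
    def CreateRoleAssignment(self, user, role, scope): self._members[(role, scope)].add(user)
    def DeleteRoleAssignment(self, user, role, scope): self._members[(role, scope)].discard(user)


@dataclass(frozen=True)
class SyncRule:  # source and destination application/scope/role, as in FIG. 4
    source_app: str
    source_scope: Optional[str]
    source_role: str
    dest_app: str
    dest_scope: Optional[str]
    dest_role: str


class ApplicationRoleProviderManager:  # bootstraps providers, does cross-provider work (block 225)
    def __init__(self, providers, admin_has_authority: bool) -> None:
        self._providers = {p.id: p for p in providers}
        self._authorized = admin_has_authority  # block 200: authority obtained up front

    def Synchronize(self, rule: SyncRule, delete_absent: bool = False) -> dict[str, set[str]]:
        if not self._authorized:
            raise PermissionError("no authority to modify roles")
        src, dst = self._providers[rule.source_app], self._providers[rule.dest_app]
        for prov, scope in ((src, rule.source_scope), (dst, rule.dest_scope)):
            if scope is not None and not prov.GetSupportedOptions().scopes:
                raise ValueError(f"{prov.name} does not support scope specific roles")
        wanted = src.GetRoleMembers(rule.source_role, rule.source_scope)
        current = dst.GetRoleMembers(rule.dest_role, rule.dest_scope)
        granted = wanted - current
        removed = current - wanted if delete_absent else set()  # "delete users if not in source"
        for user in sorted(granted):
            dst.CreateRoleAssignment(user, rule.dest_role, rule.dest_scope)
        for user in sorted(removed):
            dst.DeleteRoleAssignment(user, rule.dest_role, rule.dest_scope)
        return {"granted": granted, "removed": removed}


def demo():
    """Replays the scenario of paragraphs [0081]-[0082] with constructed users."""
    bpsdk = InMemoryProvider("BPSDK", "Business Portal", ["Account Manager"],
                             scopes=["CompanyA"], options=SupportedOptions(scopes=True))
    sharepoint = InMemoryProvider("SharePoint", "Share Point", ["Accounting Manager"])
    for user in ("alice", "bob"):  # constructed: the users Chris mass-imported
        bpsdk.CreateRoleAssignment(user, "Account Manager", "CompanyA")
    sharepoint.CreateRoleAssignment("eve", "Accounting Manager", None)  # stale member
    mgr = ApplicationRoleProviderManager([bpsdk, sharepoint], admin_has_authority=True)
    rule = SyncRule("BPSDK", "CompanyA", "Account Manager", "SharePoint", None, "Accounting Manager")
    result = mgr.Synchronize(rule, delete_absent=True)
    return result, sharepoint.GetRoleMembers("Accounting Manager", None)
```

The manager refuses to run without the authority of block 200 and rejects a scoped rule against a provider whose GetSupportedOptions says it has no scopes, which is the check claim 3 implies.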

[0083]Although the foregoing text sets forth a detailed description of
numerous different embodiments of the invention, it should be understood
that the scope of the invention is defined by the words of the claims set
forth at the end of this patent. The detailed description is to be
construed as exemplary only and does not describe every possible
embodiment of the invention because describing every possible embodiment
would be impractical, if not impossible. Numerous alternative embodiments
could be implemented, using either current technology or technology
developed after the filing date of this patent, which would still fall
within the scope of the claims defining the invention.